When merchants sign a contract that has a payment processor, they agree to be subject to fines if they are unsuccessful to take care of PCI DSS compliance. PCI compliance is split into four levels, according to the once-a-year quantity of credit rating or debit card transactions a company processes. https://www.nathanlabsadvisory.com/red-team-exercise.html
